Reducing the cognitive burden in cyber defence

It’s no secret that the volume, sophistication and impact of cyber attacks are continuing to rise and, with this, detection systems are raising ever-increasing volumes of alerts and logs. Cyber analysts play a vital role in the operational security of business-critical networks, but the increasing cognitive burden placed upon them is not sustainable.

The reason for this is that there are two BIG PROBLEMS with cyber analysts…

BIG PROBLEM #1: They’re only human.

Some might disagree — not that cyber analysts are human (although there are some who are so talented that they stretch the very definition!), but that the very fact they are human is a weakness. And to some degree they’d be right. The human brain is amazing at spotting patterns in what appears to be a disparate and confusing world of chaos. Machine Learning is catching up, but human brains are currently, still, better value for money in spotting things that haven’t been spotted before.

Where the human frailty plays a part is in our ability to continue to make complex decisions over long periods of time.

Logical thinking and decision making are expensive when it comes to power usage in the human body. That’s why Spock never wasted calories on a smile, why we have biscuits in meetings, and why (hopefully) there will be cake waiting for us in between our talks at the InfoSecurity2017 conference next week — to replenish our brains with energy so that we can continue to concentrate!

But calories alone aren’t enough, and even the fittest minds with copious calories will eventually become exhausted.

Next time you’re standing in line at airport security, you’ll notice that the people concentrating at the X-ray machines swap over every 20 minutes or so, changing from the high-concentration job of looking for bad things to the more manual and menial job of asking people to take their shoes and belts off…

Legend has it that the reason Steve Jobs always wore his iconic black polo neck and jeans, and why Mark Zuckerberg always wears the same coloured T-shirt or hoodie, is that it is one less decision to make each day, giving their brains more cognitive capacity for the more important decisions that need to be made.

Closer to home, how many of us have experienced those moments after an incredibly busy day at work making difficult decisions on behalf of the people in our company or our customers? For example, when you get home and your partner asks you:

shall we go to your mum’s or mine for Christmas?;

we need to decide where we’re going on holiday; or

would you like red wine or white?

Boom! Too many difficult decisions for one day! Time for a break!

So if human beings are great at thinking but just can’t concentrate hard for long periods of time, then when it comes to cyber defence, why don’t we solve the problem the way airport security does, with short 20-minute shifts and a high level of rotation? We just need to get more cyber analysts, right? And this brings us onto the second BIG PROBLEM with cyber analysts:

BIG PROBLEM #2: There aren’t enough cyber analysts. In the world!

Anyone who’s been involved in cyber analyst recruitment knows how hard it is to find experienced professionals in this area. Cisco have reported that there are 1 million unfilled jobs in cyber security worldwide, and Forbes estimated that there will be a shortfall of 1.5m cyber analysts by 2019.

So if machine learning (ML) can’t do what humans can do, and if there aren’t enough humans to do the jobs that need doing, we need to do more with the cyber analysts we’ve got. Here at Deep Sky Blue, we believe that the way we get more out of our cyber analysts is by getting them to do less:

Fewer banal decisions…

Fewer decisions on how to do something…

Fewer decisions spent analysing false positives…

This is the background that led to our Dstl joint-funded project aimed at lightening the cognitive load for cyber analysts, helping them reach their objectives, and why we called the project Sherpa.

The Sherpa project delivered a prototype that automates aspects of the cyber event triage process. We used machine learning techniques to spot patterns of events based on their similarity to patterns of events held in its cyber defence library, to automatically prioritise events, and to recommend courses of action in response.
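As an added illustration of the triage idea described above (example code written for this page, not the Sherpa prototype or any Deep Sky Blue code), the script below represents each observed pattern of events as a set of features, scores it against a small constructed "cyber defence library" using Jaccard similarity, and returns a priority and recommended course of action so that the highest-priority, best-matched patterns reach the analyst first. The library entries, feature names, priorities and actions are all constructed assumptions for illustration.

```python
"""Similarity-based alert triage: an illustrative, constructed example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LibraryEntry:
    name: str
    features: frozenset   # features that characterise a known pattern of events
    priority: int         # 1 = highest priority
    action: str           # recommended (defensive) course of action


# Constructed library of known patterns; names and actions are assumptions.
LIBRARY = [
    LibraryEntry("brute_force_then_login",
                 frozenset({"auth_fail_burst", "auth_success", "new_src_ip"}),
                 1, "Lock account, reset credentials, review source IP"),
    LibraryEntry("malware_beacon",
                 frozenset({"periodic_dns", "rare_domain", "fixed_interval"}),
                 2, "Isolate host, capture memory, search for domain elsewhere"),
    LibraryEntry("port_scan",
                 frozenset({"many_dst_ports", "syn_only", "single_src"}),
                 3, "Confirm scanner, block source at perimeter"),
]


def jaccard(a, b) -> float:
    """Jaccard similarity |A ∩ B| / |A ∪ B| between two feature sets."""
    union = set(a) | set(b)
    return len(set(a) & set(b)) / len(union) if union else 0.0


def triage(observed: set, threshold: float = 0.5):
    """Return (match_name_or_None, score, priority, action) for one pattern.

    Patterns below the similarity threshold are not forced onto a library
    entry; they are given a low priority and queued for human review instead,
    so the analyst is not misled by a weak match.
    """
    best = max(LIBRARY, key=lambda e: jaccard(observed, e.features))
    score = jaccard(observed, best.features)
    if score < threshold:
        return None, score, 4, "No close match: queue for analyst review"
    return best.name, score, best.priority, best.action


def prioritise(patterns: dict) -> list:
    """Rank {pattern_id: feature_set} by priority, then by match strength."""
    results = [(pid, *triage(feats)) for pid, feats in patterns.items()]
    return sorted(results, key=lambda r: (r[3], -r[2]))
```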

The User Interface and User Experience (UX) design was influenced by psychological and cognitive load theories, and aims to reduce extraneous cognitive load by reducing the number of decisions that need to be made when using the system. Workflows, font design, colour theory and keyboard control all form part of an interface that is intuitive to use and removes many of the micro-decisions analysts have to make when using more traditional tools… By taking away the decisions a cyber analyst shouldn’t have to make, we aimed to induce the psychological state of flow… a state that allows people to remain focused, in the zone as it were, for hours at a time.

Together, we believe this ML + UX combination can turn mere mortal cyber analysts into superhuman cyber analysts, with the right information to make the right decisions for longer.

As well as creating knowledge and learning for Dstl, the Sherpa project has also been hugely beneficial to us at Deep Sky Blue as a company. It’s been an exciting and different type of project for the team, creating new skills that we’re now able to provide to our customers. We have IP, not just in the prototype product itself, but also in the knowledge that we’ve generated across the company. Again, this has value in the day to day work we deliver, but also there’s a mountain of knowledge and IP here that could have value to the SIEM sector.

I’ll be running through the Sherpa project in my talk at Infosec2017 on Tuesday 6th June at 15:10 and again on Wednesday 7th at 12:55. And of course, pop over to our stand at T10o where we can show you a little more about the Sherpa project, the way that we approach software development and how Deep Sky Blue could help your business.


Deep Sky Blue’s training and consultancy services are designed and delivered not by full-time trainers or consultants, but by engineers and experts who continue to use the technologies and techniques to solve real-world problems.

Elasticsearch – from development to production

Delivered by Ian Park, responsible for the successful delivery of one of the largest production Elasticsearch clusters in UK Government, our course is designed to address the areas that you cannot uncover by studying the existing Elasticsearch books and online documentation. The course content has been developed through real-world experience, taking delegates with little or no knowledge of Elasticsearch and providing them with a deep insight into the issues and pitfalls of implementing a production cluster. We cover a wide spectrum of topics, from initial installation, simple indexing and querying through to visualisation with Kibana, cluster management, performance tuning and problem resolution.

For more information on training courses, or to book, contact training@deepskyblue.com

Research and Innovation

At Deep Sky Blue our passion for technology and making a difference in the world drives us to innovate. We know that in the fast moving world of technology, to stand still is to go backwards and so we invest in an active Research and Development pipeline, out of which we develop new and innovative ways of solving the challenges of tomorrow. This also gives our people the opportunity to work with leading edge technology, tools and techniques.

Deep Sky Blue are proud to be working with DSTL and the Ministry of Defence on the research and development of the Sherpa project. Through our research into the combination of Machine Learning and User Centred Design techniques we have identified new ways to transform the way organisations defend against the growing threat of cyber attacks.

At Deep Sky Blue, we love technology and we are passionate about the difference it can make; but we also know this is only part of the solution. We thrive on working alongside our customers in incredibly complex and challenging domains to understand their business problems and ensure our solutions deliver real value.

We pride ourselves on our excellent delivery track record and our approach to software engineering is underpinned by agile and lean practices that ensure we deliver value early and that our solutions adapt to the changing needs and priorities of our customers.

DevOps

Our DevOps approach, where support, maintenance and ongoing development are delivered by a single team, ensures that vital business functions remain operational and the products we support evolve over time providing value long into the future.